Certificate Management
Client and Server Certificates
RKE2 client and server certificates are valid for 365 days from their date of issuance. Any certificates that are expired, or within 90 days of expiring, are automatically renewed every time RKE2 starts.
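The 90-day renewal window can be checked before a restart. The shell script below is an added example, not part of the RKE2 documentation or tooling: it uses openssl x509 -checkend to classify every .crt file in a directory as expired, inside the window, or outside it. The function names and the directory argument are assumptions, and the operator supplies the directory that holds the node's certificates.

```shell
#!/bin/sh
# Added example: classify certificates against the 90-day renewal window
# described above. Function names are hypothetical; the directory to scan
# is supplied by the operator.

RENEW_WINDOW_DAYS=90
RENEW_WINDOW_SECS=$((RENEW_WINDOW_DAYS * 24 * 60 * 60))

# Print one of: unreadable | expired | renew-on-start | ok
# Only the first certificate in a file is examined.
cert_renewal_status() {
    cert=$1
    # Reject anything that does not parse as an X.509 certificate.
    if ! openssl x509 -in "$cert" -noout >/dev/null 2>&1; then
        echo unreadable
    # -checkend N exits non-zero when the certificate expires within N seconds.
    elif ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo expired
    elif ! openssl x509 -in "$cert" -noout -checkend "$RENEW_WINDOW_SECS" >/dev/null 2>&1; then
        echo renew-on-start
    else
        echo ok
    fi
}

# Report every *.crt in a directory; return 1 if any is not "ok".
scan_cert_dir() {
    dir=$1
    rc=0
    for cert in "$dir"/*.crt; do
        [ -e "$cert" ] || continue
        status=$(cert_renewal_status "$cert")
        end=$(openssl x509 -in "$cert" -noout -enddate 2>/dev/null | cut -d= -f2)
        printf '%-16s %-26s %s\n' "$status" "${end:-n/a}" "$cert"
        [ "$status" = ok ] || rc=1
    done
    return "$rc"
}

# Usage: sh check-certs.sh <directory holding the node's .crt files>
if [ "$#" -gt 0 ]; then
    scan_cert_dir "$1"
fi
```

A non-zero exit status means at least one certificate is expired, unreadable, or due for renewal at the next RKE2 start.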
Rotating Client and Server Certificates Manually
To rotate client and server certificates manually, use the rke2 certificate rotate subcommand:
# Stop RKE2
systemctl stop rke2-server
# Rotate certificates
rke2 certificate rotate
# Start RKE2
systemctl start rke2-server
To rotate an individual certificate or a list of certificates, specify the certificate names with --service:
rke2 certificate rotate --service <SERVICE>,<SERVICE>
The following certificates can be rotated:
admin, api-server, controller-manager, scheduler, rke2-controller, rke2-server, cloud-controller, etcd, auth-proxy, kubelet, kube-proxy.